Channels

Services

Mozilla's BrowserID offered as an alternative to OpenID

The classic way of logging into protected web sites usually starts with creating an account, picking a username, answering an email confirmation, doing password checks, often followed by a number of dialogs, and doing it for each and every site you want to log in to. The option of outsourcing logins and identity management is widespread – for instance, Yahoo, Facebook and Google use OpenID – but then there is the problem of vendor lock-in, data protection, and the complexity of implementation.

Now, Mozilla plans to considerably simplify the matter with its own standard. BrowserID is an open source project that is designed to work on all web sites – the Mozilla Foundation speaks of a "one-click experience" without additional verification; the only requirement is for users to have completed the email address confirmation process.

The new procedure is based on Mozilla's Verified Email Protocol. Instead of introducing a new token for authentication, people are to be able to use their email address for logins. The web site then verifies the address and its legal user via public-key cryptography.

The basic principle is that "proof of control" for email addresses is based on better authentication mechanisms than a simple username/password combination. It exploits the fact that hosting services that provide email addresses already have the infrastructure to check a person's identity, and here the process is used in order to ensure that an email account is assigned to a certain user. Unlike other sign-in systems, BrowserID does not send any information to the server about the web site being visited by the user – not even to the BrowserID server – thereby ensuring a greater amount of anonymity.

The login process is designed to work on all browsers, including the latest versions of Internet Explorer and various mobile browsers. The system is based on HTML and JavaScript, but Mozilla expects browsers to support BrowserID directly at some point.

One possible implementation of BrowserID: click to login
Source: Mozilla

The system is still experimental, though developers can also take a tutorial to get to know BrowserID. There is also a demonstration implementation at myfavoritebeer.org, where you can save the name of your favourite beer in the cloud (no doubt, so that you can remember what it's called anywhere, anytime). If users take a liking to the system, it could gradually consolidate current sign-in processes, such as OpenID. Developers may want to look at the code for BrowserID, a Node.js based server, available on github.